MS-ISAC ADVISORY NUMBER:
2005-013 Updated
DATE(S) ISSUED:
8/9/2005
8/12/05 - Updated
SUBJECT:
New Vulnerability in Microsoft Plug and Play
ORIGINAL OVERVIEW:
A critical vulnerability exists in the Microsoft Plug and Play (PnP) service which allows an attacker to remotely execute arbitrary code on an affected system. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. If an attacker successfully exploits this vulnerability, it will give the attacker complete control over the affected system. Exploit code was not publicly available at the time of our original advisory.
August 12, UPDATED INFORMATION:
- An exploit for this vulnerability has been made available to the public (see http://downloads.securityfocus.com/vulnerabilities/exploits/Win2000-MS05-039.c) and CSCIC has successfully tested it against a vulnerable host running Microsoft Windows 2000. This significantly increases the likelihood that the vulnerability will be actively exploited very soon, so the patch should be tested and applied immediately on Windows 2000 systems. Microsoft Windows XP and Windows Server 2003, although vulnerable to this issue, require valid authentication credentials in order to be exploited; patching XP and 2003 systems is therefore important but less urgent.
SYSTEMS AFFECTED:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Service Pack 2
- Microsoft Windows Server 2003 Service Pack 1
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability was discovered in Microsoft Plug and Play (PnP), which could be exploited by remote attackers to execute arbitrary code. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. On Windows 2000, successful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Attacks targeting Windows XP Service Pack 1 require valid logon credentials, and attacks targeting Windows XP Service Pack 2 or Windows Server 2003 require both valid logon credentials and the ability to log on locally (e.g. physical access to the machine).
After successful exploitation, an attacker could take control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts.
Microsoft currently provides no workaround for this vulnerability. The only resolution is to apply the patch provided by Microsoft to all affected systems.
RECOMMENDATIONS:
CSCIC recommends the following actions be taken:
- Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing. The patch is available at http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
- Block untrusted incoming traffic from the Internet at your network perimeter.
- Block inbound TCP ports 139 (NetBIOS session) and 445 (SMB) at the firewall.
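The following is an added example, not part of the MS-ISAC advisory, showing how the urgency ordering from the August 12 update and the port-blocking recommendation above can be applied mechanically to an asset inventory. It encodes only what the advisory states: Windows 2000 SP4 is exploitable remotely without authentication, XP SP1 needs valid credentials, XP SP2 and Server 2003 SP1 need credentials plus a local logon, and TCP 139/445 should not be reachable from untrusted networks. The host names, addresses and inventory records are constructed sample data, and the `exposed_smb_ports` check is meant to be run from outside the perimeter to verify the firewall rule; its `connect` parameter is injectable only so the logic can be exercised offline.

```python
"""Triage helper for MS05-039 exposure (added example; constructed sample data)."""

import socket
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Iterable, List, Tuple

SMB_PORTS = (139, 445)  # TCP ports the advisory says to block at the firewall

# Affected platforms as listed in the advisory, keyed by (product, service pack),
# mapped to the attack precondition the advisory states for each platform.
AFFECTED = {
    ("Windows 2000", "SP4"): "no credentials",               # remote, unauthenticated
    ("Windows XP", "SP1"): "valid logon credentials",
    ("Windows XP", "SP2"): "valid credentials and local logon",
    ("Windows Server 2003", "SP1"): "valid credentials and local logon",
}


def exposed_smb_ports(address: str,
                      connect: Callable = socket.create_connection,
                      timeout: float = 2.0) -> FrozenSet[int]:
    """Return the subset of SMB_PORTS that accept a TCP connection on `address`.

    Run from outside the perimeter to confirm that 139/445 are actually blocked.
    `connect` defaults to socket.create_connection and is injectable for offline use.
    """
    reachable = set()
    for port in SMB_PORTS:
        try:
            conn = connect((address, port), timeout)
        except OSError:
            continue  # refused, filtered or timed out: treat as blocked
        reachable.add(port)
        close = getattr(conn, "close", None)
        if close:
            close()
    return frozenset(reachable)


@dataclass
class Host:
    name: str
    product: str
    service_pack: str
    patched: bool  # MS05-039 patch applied and verified?
    exposed_ports: FrozenSet[int] = field(default_factory=frozenset)  # reachable from untrusted networks


def triage(host: Host) -> Tuple[str, str]:
    """Map a host to (priority, reason) following the advisory's urgency ordering."""
    precondition = AFFECTED.get((host.product, host.service_pack))
    if precondition is None:
        return ("none", "platform not listed as affected by MS05-039")
    if host.patched:
        return ("none", "MS05-039 patch applied")
    smb_exposed = sorted(host.exposed_ports & set(SMB_PORTS))
    if precondition == "no credentials":
        if smb_exposed:
            return ("critical", f"Windows 2000 with TCP {smb_exposed} reachable from untrusted "
                                "networks: unauthenticated remote code execution, public exploit")
        return ("high", "Windows 2000: patch immediately; perimeter blocking does not stop "
                        "exploitation from hosts already inside the network")
    if smb_exposed:
        return ("high", f"exploitation needs {precondition}, but TCP {smb_exposed} is exposed; "
                        "block the ports at the firewall and patch")
    return ("medium", f"exploitation needs {precondition}; patch after testing")


def prioritised(hosts: Iterable[Host]) -> List[Host]:
    """Order hosts so the ones to patch first come first."""
    order = {"critical": 0, "high": 1, "medium": 2, "none": 3}
    return sorted(hosts, key=lambda h: order[triage(h)[0]])


if __name__ == "__main__":
    # Constructed inventory; exposed_ports would normally come from exposed_smb_ports()
    # run against each host's public address.
    inventory = [
        Host("ws-042", "Windows XP", "SP2", patched=False),
        Host("file01", "Windows 2000", "SP4", patched=False, exposed_ports=frozenset({139, 445})),
        Host("app07", "Windows Server 2003", "SP1", patched=False, exposed_ports=frozenset({445})),
        Host("dc01", "Windows 2000", "SP4", patched=True),
    ]
    for h in prioritised(inventory):
        priority, reason = triage(h)
        print(f"{priority:8} {h.name:8} {reason}")
```

The ordering produced by `prioritised` matches the advisory's own reasoning: an unpatched Windows 2000 host with SMB reachable from the Internet is the only "critical" case, because that is the configuration the public exploit was tested against; XP and 2003 hosts are never above "high", since they need credentials regardless of port exposure.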
REFERENCES:
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
ISS
http://xforce.iss.net/xforce/alerts/id/203
Secunia
http://secunia.com/advisories/16372/
SecurityFocus
http://www.securityfocus.com/bid/14513
August 12, UPDATED INFORMATION:
Exploit code
http://downloads.securityfocus.com/vulnerabilities/exploits/Win2000-MS05-039.c
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
